Let me rephrase my question in another way (hopefully clearer):

NAS acting as EAP pass-thru' device

USER ----------------------  NAS -----------------------  FREERADIUS
+++++++EAP+++++++++==EAP over RADIUS==========  (****)

EAP over RADIUS uses EAP-Message attribute.


After EAP completes we have:

USER ----------------------  NAS -----------------------  FREERADIUS
 MSK                                                              MSK

...but the NAS needs the MSK to do whatever layer 2 encryption scheme..
..so...

USER ----------------------  NAS -----------------------  FREERADIUS
 MSK                              <================= MSK          (OOOO)
                                            HOW??

Ivan Kalik tnt@kalik.net suggests EAP-Message; but I think this is only
used in **** not in OOOO

Alan DeKok suggests 'Access-Accept for attributes named "key"'. I couldn't
find any such attributes, and further more where would you configure the
KEK (Key encryption key) to wrap the MSK?


I hope this makes more sense.

Example NAS:

The following NAS actually allows you to configure an AES Key Wrap secret
http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42sol.html#wp1236008

This document goes on to say that it works with "a key-wrap compliant RADIUS authentication server".
Is FreeRadius such
a "key-wrap compliant RADIUS authentication server".